== Stupid web spammer tricks

I'd call these [[stupid spider tricks StupidSpiderTricks]], except
that these were so visibly committed by web spammers. (In one case
they left me their spam, clearly visible.)

* you cannot take a _POST_ form's form elements, turn them into
  query parameters, ~~and then try to _GET_ the result~~.
* especially if you remove the existing query parameter on the URL
  of the form's target.
* you get modest bonus points if you _POST_ your query parameter
  laden URL instead of _GET_'ing it. Not enough bonus points to
  make it work, though.

I have to admire the determined necessary to carefully program your
software to do stuff like this. Or, alternately, the gleeful blindness
required to ignore the fact that there are two ways of submitting form
data, and just implementing the easier one and using it for everything.
(In this view, the _POST_ to _GET_ person is at least being consistent;
his software may not implement _POST_ at all.)

The existence of these things depress me, because the fact that the
web comment spammers do them suggests that they actually work against
some blog software. And that's just sad, but then a lot of web software
(starting with Apache) is very sloppy about this stuff.

(Accepting _POST_ requests in _GET_ form is especially bad because it
opens you up to lovely cross-site attacks if I can so much as persuade
you to click on a link. If you think this is obscure, consider how it
could be combined with cross-site authentication like OpenID to let it
be targeted. Add JavaScript, and I probably don't even need to get you
to explicitly click something.)